Submitted by Christian Schneider on Fri, 2010-08-27 13:53

Serendipity 1.5.4 has been released and addresses some minor bugfixes as well as an XSS security issue discovered and reported by High-Tech Bridge. The XSS is only exploitable if you are using the "Remember me" feature to log in to the Serendipity backend. Thanks to the quick notification by the team we were able to fix the issue within 24 hours, as with all past security issues.

The XSS issue can easily be patched by replacing only the file include/functions_config.inc.php with the new file (link), or by applying this patch.

Other bugfixes that come with the new Serendipity 1.5.4 release are:

Fix PHP 5.3.2 parse error in a file, thanks to fyremoon

Fix the SQL query statement for deleting a category, which on some DB types (SQLite) might not return "true" and thus not really delete the category.

Include license output in plugin listing

Fix escaping when using ImageMagick to create PDF-thumbnail images

Add new template variable to feed*.tpl files to support new plugins like pubsubhubbub, so that plugins can embed data to the main XML element

Submitted by Christian Schneider on Tue, 2008-04-22 12:30

Serendipity 1.3.1 has been released. This is a bugfix and security related release, basically addressing a potential XSS issue within the Top Referrers plugin as well as hypothetical XSS issues with the installer.

This release also addresses some basic PostgreSQL 8 related problems: implicit type casts have been removed from this version, causing breakage with several Serendipity core features. The fix is only partial, and breakage will still happen in (less common) functions of Serendipity. There is no ultimate solution to this because implicit type casts are required for certain entryproperty operations. Maybe the PostgreSQL 8 team will reconsider whether implicit type casts are not also quite helpful.

The only new feature addition is the exposure of a new Smarty {serendipity_getImageSize} function.

This upgrade is recommended for users that use the Top Referrers plugin and new installations of Serendipity. Many thanks to Hanno Böck, once again, for reporting (and fixing) the two XSS issues (CVE-2008-1385 and CVE-2008-1386)!

You can find the new release on the s9y.org download page. Upgrade by simply uploading the extracted archive files to your webspace.

The karma rating plugin has been upgraded to support nice, CSS-based rating graphics (see this post), and its code has been overhauled.

The Spartacus plugin can now use FTP upload, a workaround for PHP safe mode restrictions. A remote backend for plugin update checks has also been added.

An importer for phpNuke and lifetype has been added.

Support for pingbacks has been improved a lot. Trackbacks can now be blocked based on sender IP checks.

Better CSS styling for some internal plugins and for the embedding of images. The Remote-RSS plugin is now capable of Smarty templating.

Extended Smarty templating features for the {serendipity_fetchPrintEntries} function, so that templates can check for entry properties.

Add support for SQRelay.

Minor CSS and graphic updates to the Bulletproof template.

The full list of 41 changes in this release is documented within the NEWS file.

Regarding security, the bundled Smarty library has been updated to version 2.6.19 and addresses an issue in environments where the PHP security mode is required. Also, the new Serendipity release contains tighter backend XSS checks, so that environments with untrusted authors can be more secure; many thanks to Hanno Böck for addressing this. Most importantly, an issue with XSS attacks within received trackbacks has been discovered by Peter Hüwe and was fixed.
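The trackback issue mentioned above is the classic case of data received from a remote, unauthenticated sender being rendered into a page without output escaping. The following is an added example written for this page, not Serendipity's own code, of how a blog backend can render such a trackback safely. The field names (title, excerpt, url, blog_name) follow the trackback protocol; the function names and the sample trackback are constructed for the example.

```php
<?php
// Added example (not Serendipity's code): every field of a received trackback
// is attacker-controlled and must be escaped for the context it is rendered in.

/**
 * Escape a text field for safe inclusion in HTML body or attribute context.
 * ENT_QUOTES also encodes single quotes, so the result is safe inside attributes.
 */
function tb_escape_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Accept only http(s) URLs for the sender link; any other scheme
 * (javascript:, data:, ...) is dropped. Returns the escaped URL or ''.
 */
function tb_safe_url(string $url): string
{
    $url = trim($url);
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '';
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return '';
    }
    return tb_escape_text($url);
}

/**
 * Render one trackback as an HTML list item with every field escaped.
 * Missing fields are treated as empty strings rather than trusted defaults.
 */
function render_trackback(array $tb): string
{
    $url   = tb_safe_url($tb['url'] ?? '');
    $title = tb_escape_text($tb['title'] ?? '');
    $blog  = tb_escape_text($tb['blog_name'] ?? '');
    $text  = tb_escape_text($tb['excerpt'] ?? '');
    // Only emit a link when the URL survived the scheme and format checks.
    $link  = $url !== '' ? "<a href=\"$url\" rel=\"nofollow\">$title</a>" : $title;
    return "<li>$link ($blog): $text</li>";
}

// Constructed sample of a hostile trackback POST: script in the title,
// attribute break-out in the excerpt, and a non-http scheme in the URL.
$incoming = [
    'title'     => '<script>alert(1)</script>',
    'excerpt'   => 'nice post" onmouseover="alert(2)',
    'url'       => 'javascript:alert(3)',
    'blog_name' => 'Example',
];

echo render_trackback($incoming), PHP_EOL;
```

Run with `php trackback_example.php`: the title and excerpt are rendered as inert, entity-encoded text, and the javascript: URL is dropped so no link is emitted at all. The same escaping has to be applied in the backend moderation view, not only on the public page, since the announcement notes that administrators who do not regularly moderate trackbacks are the ones most exposed.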

The update is easy as usual and recommended for Serendipity users, especially if you do not regularly moderate or check your incoming trackbacks.

Upgrade pointers can be found in the FAQ; upgrading is as easy as uploading the new files.